{#
# Copyright 2015 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#}
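<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  {#
  # Sample page for checking the response headers and CSRF protection that the
  # application is expected to apply through Talisman and SeaSurf.
  # Two pieces of script below are written so that a correctly configured
  # policy stops them. They are test probes, not bugs: leave them as they are.
  #}
  <title>Talisman sample app</title>
</head>
<body>

<h1>Talisman + Seasurf Sample</h1>

{% if message: %}
<h2>Your message:</h2>
{# The submitted text is echoed through Jinja's autoescaping (assumed to be
   enabled for this template - confirm), so markup in it is displayed as text.
   Do not mark this value as safe; the CSP is a second layer, not the escape. #}
<div>{{message}}</div>
{% endif %}

<form method="POST">
  {# csrf_token() is expected to be supplied by SeaSurf. The hidden field name
     has to match the one the extension validates on POST - confirm against
     the application's configuration. #}
  <input type="hidden" name="_csrf_token" value="{{csrf_token()}}">
  <label for="message">Message</label>
  <textarea id="message" name="message" placeholder="Enter message..."></textarea>
  <button type="submit">Submit</button>
</form>

<script>
  // Deliberately has no nonce: under a nonce-based script-src policy the
  // browser must refuse to run this block. If the message below shows up in
  // the console, the Content-Security-Policy header is missing or too loose.
  console.log("Oh no, this should not have run!!")
</script>

<script nonce="{{ csp_nonce() }}">
  // Carries the nonce from csp_nonce(), so the policy lets it run. The nonce
  // only protects anything if it is unpredictable and new on every response.
  console.log("Yay, nonce allowed to run this.")
  // Geolocation is requested to check that the feature/permissions policy
  // denies it (presumably set in the app's Talisman options - confirm).
  // The success callback should never fire; the error callback makes the
  // refusal visible in the console instead of failing silently.
  navigator.geolocation.getCurrentPosition(function(position) {
    console.log('Oh no, geolocation access should be denied');
  }, function(error) {
    console.log('Geolocation request was refused: ' + error.message);
  });
</script>

</body>
</html>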
